Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”), which focuses, not surprisingly, on OCR’s ability to take enforcement action directly against HIPAA business associates. I meant to write about this guidance before Memorial
Business Associate Agreement
Too Much (Protected Health) Information Exposed + Too Little Response = $3M and Corrective Action Plan for Medical Imaging Company
“TMI” usually means “too much information”, but it was used aptly by the Office for Civil Rights (OCR) as an acronym for a covered entity that exposed protected health information (PHI) of more than 300,000 patients through an insecurely configured server. According to the April 5, 2019 Resolution Agreement, the covered entity, Touchstone Medical…
To BAA or Not to BAA? The Question a Florida Provider Should Have Asked in 2011 Results in a Half Million Dollar Payment in 2018
Yesterday’s listserv announcement from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) brought to mind this question. The post announces the agreement by a Florida company, Advanced Care Hospitalists PL (ACH), to pay $500,000 and adopt a “substantial corrective action plan”. The first alleged HIPAA violation? Patient…
Bankrupt Medical Records Company Hit with $100,000 Penalty for HIPAA Violations
Filefax, Inc., a defunct Illinois medical records storage and management company, has been fined $100,000 for improperly handling medical data under an agreement with the court-appointed receiver managing the company’s assets on behalf of its creditors. This settlement has implications for both service providers and their covered entity clients. Fox Rothschild partners Elizabeth Litten and…
Beware: HIPAA Applies to the Health Plans You Never Knew You Had (Part 1: Employee Assistance Programs)
You may be surprised to learn that those “extra” benefits your company offers to its employees such as your employee assistance program (“EAP”) and wellness program likely are subject to the HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”). Part 1 covers why most EAPs are subject to the HIPAA Rules. Part 2…
5 Practical Steps for Business Associate Compliance
Congratulations! You have a HIPAA-compliant business associate (or subcontractor) agreement in place – now what? How can you implement the agreement without becoming a HIPAA guru?
There are many resources available that offer detailed guidance on risk analysis and implementation protocols (such as the Guide to Privacy and Security of Electronic Health Information published by…
HIPAA Compliance Trends for 2015
As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year. While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 …
Michael Kline’s “List of Considerations” for Indemnification Provisions in Business Associate Agreements
I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s “List of Considerations” before signing. Michael’s list, included in an article he wrote that was recently published in the American Health Lawyers Association’s “AHLA Weekly” and available here, highlights practical and…
Connecticut Supreme Court Recognizes Individual’s Right for State Tort Action Using HIPAA as Standard of Care
The Connecticut Supreme Court handed down a decision in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —-, 2014 WL 5507439 (2014) that
[a]ssuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy in the context of
…
Countdown to September 22nd — Shortcuts for Business Associate Agreement Compliance
The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today. What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements? Here are 3…